An ad-verification company has uncovered multiple hacker networks involved in auto-redirect attacks with payloads of mobile click fraud, tech support scams, and malicious installations. GeoEdge estimates the scam could cost publishers and advertisers $1.13 billion annually.
GeoEdge identified seven distinct classes of redirect attacks as well as major hacker networks. These families of attacks, and the hacker networks that use them, are responsible for hundreds of millions of monthly impressions.
In a few of the attacks, the auto-redirect took the user out of the browser and into app stores. On mobile devices, the redirect usually leads to the App Store or Google Play Store rather than simply mimicking the usual desktop tricks.
GeoEdge also found evidence of click fraud. The mobile browser opens multiple invisible iframes and calls multiple URLs and ultimately executes fraudulent clicks. In this particular attack, GeoEdge identified a whitelist of hundreds of domains where the attack would actually occur. The ad loads a script from Amazon AWS S3 and checks the domain to see whether it should execute. If the specific domain is on the whitelist, the code will embed hidden iframes in the browser and click on the ads, according to GeoEdge's security research, titled Auto-Redirects.
Broken down by damages, auto-redirects cost the advertising industry an estimated $210 million annually and another $920 million through ads with click fraud.
Hidden redirects are programmed to run click-fraud campaigns. The report, which analyzes about 650 million impressions, delves into redirects, evasive tactics, and how to discover redirect code.
Auto-redirects make up 48% of malvertising events, with malicious URL pre-click far behind at 18%. The U.S. accounts for 48% of auto-redirects -- nearly five times as many as Canada, which comes in at No. 2, and Australia at No. 3.
About 27% of malvertising events occur on desktops and 72% on mobile devices, with 57% on Apple iOS and 15% on Google Android.
Notifications that look like they come from Google or Apple falsely alert users that their devices are infected or that they have been given a free iPhone, pushing them to download malware or dial a scam number.
The schemes are similar to those used for non-redirecting attacks, but by taking users to an entirely separate window rather than a banner ad, the scam appears to be more legitimate.
For example, a webpage that is wholly constructed to look like Microsoft’s site can seem more genuine than a simple banner ad. Attacking banks is difficult, while replicating a bank’s web page and getting users to hand over their info is comparatively easy.
To mobile users, a "System Warning!" in the pop-up notification style that appears to come from the search engine or publisher's site can seem too real to ignore. This makes mobile redirects particularly effective for click fraud and for phishing and mining personal data.
The hacker networks identified by GeoEdge redirected users to nearly a dozen apps in the App Store and Google Play Store, including the Star Wars: Galaxy of Heroes game made by Electronic Arts.
Confirmed. Major uptick since the beginning of December 2017. And ongoing.
Laurie, I both laugh and cry at the same time when I read this. Crying for all the publishers who have gotten hurt by the scammers. The laugh is because the perfect ad delivery system that was developed around 15 to 20 years ago is not even close to being perfect. It's closer to giving a block of cheese to a pack of rats. When the pack is done with that block of cheese they move on to something else to gorge on.
The current ad delivery system is not only outdated, it has become a threat to many hardworking publishers. What needs to change is to get away from automation and go back to human-to-human intervention of the ads to be published. The problem is millions and billions of dollars have been invested in automation. Get rid of it now.
On our website we publish custom presented ads that include sweepstakes and contests for many Fortune companies. These ads cannot be hacked or scammed. I put my 100 percent guaranteed safety on not being scammed. Only a few publishers can say the same. Yet many ad agencies think it is too good to be true.
It's time to have a serious chat about what is wrong with automated ads and how to fix the problem instead of ignoring the problem.